Computing Services and Systems Development
SAC PA
Human Subject Research Data Security Review Process
Presenter: Scott Weinman, CISSP, CISA, CPA, MBA, MS
June 15, 2018
Agenda
• Pitt’s Journey
• Current Process
  • Data Security Form
• Future Process
  • Automate based on risk
• Takeaways
Pitt’s Journey
• 2015 – Pitt CSSD Security was asked by the Institutional Review Board (IRB) to develop a research security review process
• Developed a relationship with Pitt’s IRB
• Inserted into the IRB review process as an ancillary reviewer
• Continue to refine and automate the process based on risk
Current Process – Data Security Review
• Researchers submit a data security form with each study submission
• CSSD Security reviews and provides guidance
• CSSD Security approves once the researcher and Security agree that the appropriate level of controls will be implemented
Current Process – Data Security Form
• Word document divided into 4 sections
  • Identifiers collected and coded
  • Technologies used
  • Storage used
  • Data lifecycle
Current Process – Data Security Form
• Identifiers Collected – Identifiers
  • 18 HIPAA identifiers
  • Other unique identifiers
Current Process – Data Security Form
• Identifiers Collected – Coded
  • Removing all identifiers?
  • Identifiable data stored separately from de-identified data?
  • Is the data sensitive?
Current Process – Data Security Form
• Technologies Used – Mobile Apps
  • Identifiable data?
    • GPS
    • Registration
    • Other access
  • How protected?
    • Device
    • Access
    • Encrypted
    • Transmitted
  • Vendor Risk Assessment?
  • Privacy Policy?
Current Process – Data Security Form
• Technologies Used – Web-based site/survey
  • Identifiable data?
  • How protected?
    • Encrypted
    • Transmitted
    • IP address
  • Informed Consent
  • Vendor Risk Assessment?
Current Process – Data Security Form
• Technologies Used – Wearable Device
  • Identifiable data?
    • GPS
    • Registration
  • How protected?
    • Encrypted
    • Transmitted
  • Mobile App needed?
  • Privacy Policy?
Current Process – Data Security Form
• Technologies Used – Electronic Audio, Photographs, Video
  • Identifiable data?
  • GPS?
  • App used?
  • Sync in the cloud?
  • Privacy Policy?
  • Encryption?
  • Physical Security?
Current Process – Data Security Form
• Technologies Used – Text Messaging
  • Message Content
  • Survey?
  • Informed Consent
Current Process – Data Security Form
• Storage Used
  • Identifiable?
  • Storage
    • PC?
    • Server?
    • Cloud?
    • Other?
  • Workstation
    • Anti-virus?
    • Patched?
    • Encrypted?
  • Vendor Assessment?
Current Process – Data Security Form
• Data Lifecycle
  • Who will have access?
  • Who is responsible for data security? (Principal Investigator)
  • Breach notification plan in place?
  • Data retention plan in place?
Future Process – Data Security Review
• Data security form is being added into the IRB application as a web form
  – Edit checks to reduce omissions
  – Based on risk, certain combinations of data type, technologies, and storage locations will be automatically reviewed
Future Process – Data Security Review
Data Security Web Form
• Upfront questions created to assist in assessing risk
  • Anonymous
  • Sensitive
  • Added Social Media
Future Process – Data Security Review
• Risk Matrix – Auto Review Criteria
  • Logic was built to auto review studies with certain data and technology combinations (red)
  • Other studies will continue to be manually reviewed (green)
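As an added illustration of the two mechanisms the slides describe for the web form (edit checks that reject omissions, and a risk matrix that routes certain data/technology/storage combinations to automatic review), the following Python sketch models a submission and applies both. It is not Pitt's code: the field names, the red technology and storage sets, and the combination rules are hypothetical stand-ins for the unpublished matrix, chosen only to mirror the form sections shown on the earlier slides.

```python
"""Edit checks and risk-matrix triage for a data security web form.

Added illustration with hypothetical field names and a hypothetical
red/green matrix; not the actual Pitt IRB form or its criteria.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical "red" matrix: technologies and storage locations that, combined
# with identifiable data, send a study to automatic review.
RED_TECHNOLOGIES = {"mobile_app", "wearable", "audio_video", "text_messaging", "social_media"}
RED_STORAGE = {"cloud", "pc", "other"}


@dataclass
class DataSecurityForm:
    """One study's answers, mirroring the form sections on the slides."""
    anonymous: Optional[bool] = None             # upfront question
    sensitive: Optional[bool] = None             # upfront question
    identifiers: List[str] = field(default_factory=list)   # HIPAA / other identifiers collected
    coded: Optional[bool] = None                 # identifiable data kept separate from de-identified?
    technologies: List[str] = field(default_factory=list)  # e.g. "web_survey", "mobile_app"
    storage: List[str] = field(default_factory=list)       # e.g. "server", "cloud"
    responsible_party: Optional[str] = None      # data lifecycle: who is responsible (PI)
    breach_plan: Optional[bool] = None
    retention_plan: Optional[bool] = None


def edit_checks(form: DataSecurityForm) -> List[str]:
    """Return the omissions a web form would reject before submission (empty = complete)."""
    missing = []
    for name in ("anonymous", "sensitive", "coded", "breach_plan", "retention_plan"):
        if getattr(form, name) is None:
            missing.append(f"{name}: unanswered")
    if not form.responsible_party:
        missing.append("responsible_party: unanswered")
    if not form.storage:
        missing.append("storage: at least one location required")
    # Consistency checks catch answers that contradict each other.
    if form.anonymous is False and not form.identifiers:
        missing.append("identifiers: study is not anonymous but lists none")
    if form.anonymous is True and form.identifiers:
        missing.append("anonymous: study lists identifiers, so it is not anonymous")
    return missing


def triage(form: DataSecurityForm) -> Tuple[str, str]:
    """Apply the hypothetical matrix: ('red', why) for auto review, ('green', why) otherwise."""
    identifiable = bool(form.identifiers) or form.anonymous is False
    if not identifiable:
        return "green", "no identifiable data collected"
    risky_tech = sorted(set(form.technologies) & RED_TECHNOLOGIES)
    risky_storage = sorted(set(form.storage) & RED_STORAGE)
    if form.sensitive and (risky_tech or risky_storage):
        return "red", f"sensitive identifiable data with {risky_tech + risky_storage}"
    if risky_tech and risky_storage:
        return "red", f"identifiable data via {risky_tech} stored on {risky_storage}"
    return "green", "identifiable data, but no red data/technology/storage combination"


if __name__ == "__main__":
    # Constructed sample submissions, not real studies.
    survey = DataSecurityForm(anonymous=True, sensitive=False, coded=True,
                              technologies=["web_survey"], storage=["server"],
                              responsible_party="PI", breach_plan=True, retention_plan=True)
    wearable = DataSecurityForm(anonymous=False, sensitive=True, coded=False,
                                identifiers=["name", "GPS"],
                                technologies=["wearable", "mobile_app"], storage=["cloud"],
                                responsible_party="PI", breach_plan=True, retention_plan=True)
    incomplete = DataSecurityForm(anonymous=False, technologies=["mobile_app"])
    for label, f in (("survey", survey), ("wearable", wearable), ("incomplete", incomplete)):
        print(label, edit_checks(f) or "complete", triage(f))
```

The two functions are kept separate on purpose: edit checks run first so that triage never reasons over an unanswered field, and the triage returns its reason string so the reviewer can see which combination tripped the matrix rather than just a colour.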
Takeaways
• Build a relationship between the IRB and Data Security
• Become part of the study review workflow
• Develop a standardized form
• Take a risk-based approach to the reviews
• Build a relationship with the research community
Questions?
Contact Information
Scott Weinman
University of Pittsburgh
Email: sdw37@pitt.edu
Thank You